Nexus between NFTs and AML

As an object of legal qualification and ruling, NFTs have received well-deserved attention from the EU policymakers in the Markets in Crypto Assets (MiCA) regulation. The rules are clear that MiCA does not apply to unique and non-fungible crypto-assets. However, a detailed explanation of how an asset is determined to be a NFT is yet to come. The European Banking Authority is commissioned with providing definitions and clarifications on the “indicator of fungibility”.

Across the Atlantic, it has been challenging for U.S. legislators to pass specific NFT regulations. They struggle to differentiate between NFTs as digital representations of real-world objects, bought, stored, and swapped between collectors; and other digital assets. Questions remain about how they should be regulated and whether some NFTs are securities. Legislative specifics of this kind are outside the scope of this article.

Amid the global storm of regulatory maneuvers, the Financial Action Task Force (FATF) has cemented its role as an international standard-setting body for financial activities involving virtual assets. In the latest Guidance published in June 2022, the organization notes that NFTs that are unique and used in practice as collectibles rather than as payment or investment instruments are not virtual assets for purposes of the FATF standards. For those NFTs, the strict AML/CFT requirements shall be excluded in general. Nonetheless, once the virtual assets benchmark is triggered, i.e. the NFT is found to be widely used for payment or investment purposes, the jurisdiction should apply the high-level standards typical for the operations with virtual assets. In effect, FATF opened the door for a big digital artwork party but placed a solidly built bouncer in front of the clubhouse.

So far, no strict rules have been observed. Of course, there is no complete happiness, right? Alongside a sweet influx of funds into NFT marketplaces, complex scams amounting to over $100 million were publicly reported between July 2021 and July 2022, casting a shadow in that way over the market stability.

All the figures, graphs and visualizations in this article are sourced from the reports of two prominent blockchain analysis providers: Chainalysis and Elliptic.

What Do the Rule Books Say?

NFT marketplaces were not directly subject to the EU’s Anti-money Laundering Fifth Directive published May 30, 2018. The NFT business model was not sufficiently understood at the time these rules were implemented. At the same time, the scope of the Directive is broad enough to cover the exchange of NFTs for cryptocurrency.

To the extent that NFT businesses resemble conventional art dealers, they fall within the scope of the Directive along with virtual currency exchange service providers. Anyone involved with trading or intermediation in the trade of works of art for more than 10,000 EUR must build a reliable customer due diligence program, apply a risk-based approach to their clients, and report any suspicious activity.

In February 2022, the U.S. Department of Treasury brought some clarity to money laundering vulnerabilities of digital art markets. Their Study introduced NFTs as “digital units, or tokens, on an underlying blockchain that represent ownership of images, videos, audio files, and other forms of media or ownership of physical or digital property; bearer instruments that codify the ownership of a unique digital asset, such as a piece of high-value digital art and are managed via smart contracts and digital wallets”. The imminent threat comes from the characteristics of virtual assets and the structure of transactions with digital art.

For example, a NFT purchased by a criminal with ill-gotten funds can be used for a transaction with an unsuspecting bona fide buyer. The transfer of ownership between digital wallets or smart contracts is publicly verifiable and auditable on a blockchain, which gives the bad actor a legitimate explanation for the sale and cuts the ties with a previous crime. Transaction velocity along with the absence of third-party services like shipping, insurance, or customs representatives makes it even more convenient for the criminal to launder the money and get a safe exit without leaving administrative trails.

Another factor is the smart contracts that are used to govern the ownership and transferability properties of NFTs which can be set up to generate revenue each time a NFT transaction is recorded on a blockchain. Certainly, the artists would get fair compensation for their work in this way, but it would also create an incentive for running a marketplace where rapid transfers are possible without diligent assessment of the deal, customer verification, or transaction monitoring. Such a hypothetical scenario involves an increased risk of money laundering due to an unrealistically high volume of transfers, non-compliance with AML/KYC principles, and lack of technical understanding of blockchain technology required to practice effective customer due diligence in this space.

Consistent with the FATF Guidance, the Treasury’s Study stated that collectibles which do not meet payment or investment instruments qualification criteria should not be considered virtual assets under the FATF definition. Regardless of the treatment of the object of exchange, some NFT platforms may still qualify as VASPs. Depending on the characteristics of the NFTs that they offer or the market they operate in, the platforms could be exposed to stringent AML/CTF regulations e.g. obligations under the Financial Crimes Enforcement Network (FinCEN)’s rules for money service businesses if they are doing business in the United States.

Washing Off JPEGs

With around $44.2 billion worth of cryptocurrency sent in 2021 to ERC-721 and ERC-1155 contracts — Ethereum smart contracts associated with NFT marketplaces and collections — criminals had plenty of opportunities to experiment with the developing sector. The two main forms of illicit activity observed by Chainalysis are wash trading to artificially increase the value of NFTs and money laundering through the purchase of NFTs.

1. Wash Trading

As defined by the U.S. Commodity Futures Trading Commission (CFTC), the term means “entering into, or purporting to enter into, transactions to give the appearance that purchases and sales have been made, without incurring market risk or changing the trader’s market position”. Using NFTs, the goal would be to pump the price of the piece of digital art by making a fictitious sale to a new wallet under his/her control and ownership. As long as many NFT trading platforms allow users to trade by simply connecting their wallet to the platform, with no need to identify themselves, it will be easy for the bad actor to make the NFT look more valuable than it really is. A thorough blockchain exploration led by Chainalysis reviewed NFT sales to self-financed addresses, meaning they were funded either by the selling address or by the address that initially funded the selling address. Investigation revealed hundreds of wash trades carried out in this manner.

In a typical wash trading case, one would perform multiple transactions in a rapid consequence without taking market risk. The simplest form is one address quickly reselling an NFT at a price much higher or lower than the purchase one. Selling low may be reasonable for the wash trader who aims to report a loss for tax purposes, for instance.

More sophisticated cases investigated by Elliptic involve a bunch of addresses interacting with each other. They may belong either to the same user or to close associates. Distinctive for this kind of activity is а series of contemporaneous transactions: address A sells NFT to address B, which in turn instantly transfers back to address A.

Sometimes wash traders abuse NFT popularity for financial gains. A popular concept for increasing virtual asset prices is promotion through various publications, articles, reviews and online discussions. In a situation where vanity is generated through notable trades, users can blindly follow the trend and drive up the price for future sales; as an example see the sale of Cryptopunk #9998 for 124,457 ETH ($532 million).

Another typology for overvaluation is observed with projects and marketplaces that have active-user reward programs. Usually, users are incentivized to stake, swap, or trade on the platform for remuneration in the form of a specific platform-native token. To the extent that the program is built around trading volumes, traders may deliberately overvalue their NFTs to maximize the rewards. Elliptic pointed out the manipulation of Meebit #13824, with trades of up to $50.6 million (321,099% above the floor price).

The existence of NFT wash trading is something of a murky legal area that has not yet been approached by law enforcement. In contrast, a prohibition on wash trading of conventional securities and futures has been in place going back to the Commodity Exchange Act in 1936. Similar reliable boundaries could be set once regulators start applying existing anti-fraud and money laundering preventive measures to new NFT markets.

1. Good Old Money Laundering … in Fancy Clothes

Bearing in mind that NFT price performance is strictly dependent on community support and larger market trends, someone with a vested interest in manipulation could easily benefit from these factors. Pieces of digital art predominantly consisting of cartoon-style, computer-generated JPEGs could arguably be considered worthless….or priceless.

It is the volatile value and utility characteristics of NFTs that make them highly vulnerable to trade-based money laundering. FATF defines trade-based money laundering as “the process of disguising the proceeds of crime and moving value through the use of trade transactions in an attempt to legitimise their illicit origins.” This result may be achieved through the misrepresentation of the price, quantity or quality of traded assets. A typical example is a fraudulent invoice issued by one of the conspiring parties allowing the other — the recipient of goods — to either overpay or underpay depending on the projected cash flow. The outcome of the fraudulent scenario is invoicing and transfer of funds under the guise of a commercial transaction.

Luxury items, including those that are digital, are a prominent vehicle for money laundering due to the ease with which the price or quantity can be manipulated. Thus the source of illicit wealth may be justified through legitimate NFT trading. The tax authorities or financial institutions usually do not have the ability to verify the objective price of the NFT and logically encounter difficulties determining whether the person’s explanation is reasonable and legitimate.

Elliptic revealed a wallet that allegedly stored phishing scam proceeds amounting to $1.2 million with significant trading volumes on UniSwap. On January 28, 2022 a Bored Ape NFT was purchased using $435,000 of the wallet balance — a textbook case of legitimizing illicit income. Being the most expensive NFT collection at the time, Bored Apes became attractive for storing and justifying illicit funds because of the collection’s high value and low risk.

Trade-based money laundering techniques flourish in complexity and are frequently used in combination with other money laundering techniques to further obscure the money trail. Launderers rarely resort to direct deposits with centralized platforms or marketplaces without first disguising the illicit proceeds. For the purpose of obfuscation, criminals will choose mixers (websites or software used to create a disconnection between a user’s deposit and withdrawal), P2P exchanges (platforms that facilitate the cryptocurrency exchange between two individuals while the intermediary is not in direct possession of the funds and does not require any KYC), or crypto ATMs (they operate similar to normal fiat ATMs but certain KYC deficiencies may be exploited). These services, which are usually labelled by reputable blockchain analytics solutions as providers posing medium to high risk, grant the perpetrators the opportunity to disassociate themselves from the underlying criminal activity and break their transaction trail. Exposure of NFT platforms to ETH originating from obfuscating sources between Q4 2017 and Q2 2022, as measured by Elliptic, counts up to $137.6 million for mixers and $133.9 million for cross-chain bridges.

Тo draw a clear line of demarcation: the use of these services does not imply that the user is a criminal or that their funds are illicit. There are many legal uses of said services, from privacy protection through online gambling to deeper adoption of blockchain protocol tokens.

The Sanctions Trap

In 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an Advisory to emphasize the sanctions risks arising from dealings in high-value artwork associated with persons blocked pursuant to OFAC’s authorities, including persons on OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN List). When read along with FinCEN’s advanced notice of proposed rulemaking for dealers in antiquities, it could be established that NFTs show certain features typical for high-value art and collectables that may be exploited by money launderers and terrorist financiers to evade detection by law enforcement. These characteristics include client confidentiality or unregulated customer due diligence practices, varying practices in accurately documenting provenance, subjectivity of prices, and predisposition to be used to transport value across borders without reporting to authorities or detection by law enforcement agencies.

OFAC notes that U.S. citizens are prohibited from engaging in transactions, directly or indirectly, with persons on the SDN List and other blocked persons under the threat that an offender may be held civilly liable even if he did not know or has reason to know he was engaging in prohibited conduct.

The warning came true in September 2021 when SUEX OTC S.R.O. got battered for facilitating financial transactions for ransomware actors. SUEX goes down in history as the first crypto assets exchange to be sanctioned by OFAC. Latvian-based Chatex followed them a few days later. More than half of their known transactions directly led to illicit or high-risk activities such as darknet markets, high-risk exchanges, and ransomware. Among the sanctioned Ethereum addresses of Chatex, one reportedly held 42 NFTs with a total worth of around $531,600 at the time of sanctions. Despite the immediate ban imposed by OpenSea, this marks the first time NFTs became involved with the sanctions regime due to the fact they are possessed by individuals accused of cybercrime and money laundering.

Lack of exemption from OFAC Regulation for high-value artwork could be, in theory, also applied to NFTs. In the advisory note, OFAC clearly states that it “does not interpret this exemption to allow blocked persons or their facilitators to evade sanctions by exchanging financial assets such as cash, gold, or cryptocurrency for high-value artwork or vice versa”. To the present date, no updated guidance has been issued, leading to the assumption that OFAC restrictions encompass the exchange of the aforementioned assets for high-value digital art as well.

Instead of Final Words Here’s an AML First Aid Kit

In the uncertain environment of evolving regulations and growing exposure to financial crime, NFT businesses are faced with the need to be decisive. The initiative to implement appropriate preventive measures must be theirs, as no one knows the industry better than the native players. Recommendation notes by The Royal United Services Institute (RUSI) are an excellent example of setting a direction for how money laundering risks can be mitigated. This UK security think-tank has pointed out that NFTs are most often purchased with cryptocurrency on online marketplaces; therefore, the AML standards of centralized exchanges can be easily applied to online auction houses for NFTs. They recommend the introduction of two-factor authentication for consumers and confirmation that cyber security measures are in place to protect against opportunistic hackers.

То improve their chances of counteracting the illicit activity, firms should have a holistic approach to the problem. Below are recommended steps to build a reliable AML system:

1. Create a risk assessment model measuring risks emerging from the clients, product, services, and transactions risks, delivery channels and geographical region.
2. Set clear customer onboarding criteria consistent with the company’s risk appetite.
3. Enable sound AML/counter terrorism financing procedures for ongoing monitoring allowing disclosure of information about suspicious operations, transactions and customers to the competent authorities.
4. Conduct due diligence on NFTs.
5. Set up cryptocurrency transaction monitoring software that automatically detects and alerts to patterns of potential high risk activity and addresses identified on OFAC’s sanctions list.
6. Develop a registry of stolen or fraudulently purchased NFTs similar to the Art Loss Register.